Re: LDAP attribute update for clients

DEV dev at dolphin-dev.com
Mon Feb 22 17:24:38 CET 2021


Hi Alan,

thank you. My definition of client is the NAS.

There is no control site, did you mean this?
https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/sites-available/control-socket

I need to write to LDAP, as I need to make this information available this way. As the number of requests is low, this is not an issue.

For authentication, the request in FR has two kinds of credentials:
1) the enduser when signing into a service like PPP
2) the NAS credentials (shared secret) to connect to the radius server

Case 1 is already working, for case 2 I don't know which section it is (or if it's possible at all).

As I did not use Radmin before (as I did not need it before), I assume from your explanation that it shows the data ("NAS last seen") - I just need it to write it back to the LDAP object, just like 1 does.

Is there a "post-auth update" equivalent for NAS?

Thank you!

Kind regards
Kevin

________________________________________
From: Freeradius-Users <freeradius-users-bounces+dev=dolphin-dev.com at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: Monday, 22 February 2021 16:38
To: FreeRadius users mailing list
Subject: Re: LDAP attribute update for clients

On Feb 22, 2021, at 9:24 AM, DEV <dev at dolphin-dev.com> wrote:
> Is it possible to configure FR to write the last authentication attempt from a client (NAS) to LDAP?

  Update post-auth with an LDAP query.

> For users I can set this:
> https://bitbucket.org/code-orange/django-cdstack-tpl-accessradius/src/cad14059236673c2152ea4febf9181bab22248fb/django_cdstack_tpl_accessradius/templates/config-fs/static/etc/freeradius/mods-available/ldap#lines-57
>
> Is there something similar for the clients? I'm interested in the same attribute update to see which clients are dead.

  I'm not sure what you're asking here.

  The processing sections are run when the server receives a packet.  i.e. Access-Request gets processed through authorize, authenticate, post-auth.  There's no concept of "user" versus "client" here.  It's just a packet with src/dst IP, and various contents.

  So if you want to update LDAP when FreeRADIUS receives a packet, just write things in "authorize" to update LDAP.  It's not more complicated than that.  The main issue here is that LDAP is intended to be read-many, write-rarely.  So doing LDAP writes on every packet received will likely cause issues.

  But... if you want to see which clients are dead, see sites-available/control, and the "radmin" command.  You can ask the server about a particular client, and it will tell you when the server last received a packet from that client.

  Alan DeKok.
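Alan's suggestion above (an LDAP write from post-auth keyed on the packet rather than on a user), as an added example that is not part of this thread and not the FreeRADIUS project's own configuration. It assumes FreeRADIUS 3.0.x, that NAS objects are stored in the directory with the radiusClient object class from the server's shipped LDAP schema (radiusClientIdentifier holding the NAS address), and that the bind identity is allowed to write the description attribute on those objects; the instance name ldap_nas, the server, bind DN, base DN and attribute names are placeholders to be replaced with the real directory layout.

```unlang
#  Added example, not from the thread or the stock FreeRADIUS config.
#  Assumptions: NAS objects live under ou=nas,dc=example,dc=com with
#  objectClass radiusClient, radiusClientIdentifier = NAS IP address,
#  and the bind DN may modify "description" on them.

#  mods-available/ldap_nas  (enable with a symlink in mods-enabled/)
ldap ldap_nas {
	server = 'ldap.example.com'
	identity = 'cn=radius,dc=example,dc=com'
	password = 'CHANGEME'
	base_dn = 'ou=nas,dc=example,dc=com'

	#  "user" is simply the object this instance searches for and later
	#  updates.  Filtering on the packet's source address selects the NAS
	#  object instead of the end user's entry, which is the difference
	#  between this instance and the per-user ldap instance.
	user {
		base_dn = "${..base_dn}"
		filter = "(radiusClientIdentifier=%{Packet-Src-IP-Address})"
	}

	#  Same mechanism as the per-user "Authenticated at %S" update in the
	#  default ldap module configuration, applied to the NAS object.
	#  %S expands to the request timestamp as YYYY-mm-dd HH:MM:SS.
	post-auth {
		update {
			description := "Last seen at %S from %{Packet-Src-IP-Address}"
		}
	}
}

#  sites-enabled/default: call the instance where writes are performed.
#  Listing it under Post-Auth-Type REJECT as well records NAS activity
#  even when the end user's own authentication fails.
post-auth {
	ldap_nas

	Post-Auth-Type REJECT {
		ldap_nas
	}
}
```

This performs one LDAP modify per Access-Request that reaches post-auth, which is exactly the write-per-packet pattern Alan cautions against. On a busy server, restrict the call to the NAS types that matter or gate it so it fires at most once per NAS per interval, and check first whether the last-seen time that `radmin` already reports is sufficient before adding directory writes at all.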

